The percentage of targeted attacks aimed at small businesses doubled in the first half of 2012, an indication that hackers are dedicating more resources to what they see as the most vulnerable marks, a major security vendor said.
In the first six months of the year, more than a third of targeted attacks on businesses were pointed toward companies with fewer than 250 employees. That was twice the percentage of attacks aimed at similar sized companies at the end of 2011, Symantec said in its mid-year Intelligence Report.
[ Prevent corporate data leaks with Roger Grimes' "Data Loss Prevention Deep Dive" PDF expert guide, only from InfoWorld. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
A targeted attack is one that's tailored to a specific company. Cyber criminals customize malware to particular vulnerabilities and use information gathered publicly -- or stolen from other companies -- to create emails with malicious attachements that have a higher chance of being opened by employees. That type of social engineering has proved successful despite corporate efforts to bolster security training and warn workers away from opening potentially dangerous emails.
Companies in the defense industry are the top targets of such attacks, followed by chemical and pharmaceutical firms and manufacturing companies, respectively. Large companies with more than 2,500 employees remain the most popular targets, however, accounting for 44 percent of all targeted attacks in the first half of the year, Symantec says.
Hackers are shifting resources toward small companies because they often partner with large businesses in fulfilling major contracts. Because smaller companies can be the weakest link in the chain, cyber criminals use them to gain information they can use to penetrate the defenses of their larger partners.
"They (small businesses) are not as prepared, because they don't think they have to be, and that's left them vulnerable," Kevin Haley, director of Symantec's Security Response unit, said Friday.
Small businesses also lack the money of larger companies to buy expensive technology that can bolster defenses. "SMBs (small and medium-sized businesses) tend not to have the resources to implement the same types of security programs large enterprises do," Eric Maiwald, an analyst for Gartner, said in an interview via email.
Small businesses can greatly improve their chances of fending off attacks by just following basic best practices, such as having a process in place to ensure all software is up-to-date and patched. In general, hackers go after known vulnerabilities, so having the latest version of an application goes a long way towards protecting company data.
"They don't have to be genius hackers, because the basic steps to protect themselves are not being taken by a lot of small businesses," Haley said.
In terms of the number of targeted attacks, Symantec blocked an average of 58 a day aimed at small businesses in the first half of the year. Overall, the number of daily attacks on all businesses increased about 24 percent to around 154.
Read more about malware/cyber crime in CSOonline's Malware/Cybercrime section.